WooCommerce on the 23rd of March announced security updates to address a critical vulnerability in its WooCommerce Payments plugin, which is widely used by online stores hosted on platforms like Pressable, WordPress, and WordPress VIP. With a high Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10, this issue demands immediate attention. In this blog post, we’ll discuss the implications of this vulnerability and provide clear guidance on how to protect your website.
The Vulnerability Explained: The vulnerability in question is an authentication bypass and privilege escalation issue. If exploited successfully, it allows an unauthenticated attacker to impersonate an administrator and take control of a website without any user interaction. This could have devastating consequences for both website owners and customers, as attackers may gain access to sensitive information, alter website content, or perform malicious activities.
Affected Versions: The vulnerability affects the WooCommerce Payments plugin versions between 4.8.0 and 5.6.1. It’s crucial to check your plugin version and update it as soon as possible if you’re running a vulnerable version.
Automatic Updates for WordPress.com Websites: Websites hosted on WordPress.com using vulnerable versions of the WooCommerce Payments plugin should receive automatic updates along with instructions on patching the vulnerability. Keep an eye out for notifications to ensure your site is protected.
Manual Update Process for Other Websites: If your website isn’t hosted on WordPress.com and uses the WooCommerce Payments plugin, follow these steps to manually update the plugin:
- Log in to your WordPress Admin dashboard.
- Click on the Plugins menu item and look for WooCommerce Payments in your list of plugins.
- Check the version number displayed in the Description column next to the plugin name. If it matches any of the following patched versions, no further action is needed: 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, 5.6.2.
- If a new version is available for download, follow the notice displayed on your dashboard to update the WooCommerce Payments plugin.
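To make the version check in the steps above repeatable across many sites, here is an added shell helper (not from WooCommerce or the advisory) that classifies an installed WooCommerce Payments version against the affected range and the patched releases listed above. It assumes "major.minor.patch" version strings, treats the listed patched release as the minimum safe version of each affected minor branch, and treats branches outside 4.8 to 5.6 as unaffected per the stated range; the `woocommerce-payments` plugin slug in the WP-CLI comment is an assumption.

```shell
#!/bin/sh
# Added example: classify a WooCommerce Payments version as patched,
# vulnerable, or not-affected, using the advisory's patched release list.

# Minimum safe patch number for each affected minor branch (from the
# patched versions listed in the advisory). Empty for unaffected branches.
fixed_patch_for_branch() {
    case "$1" in
        4.8) echo 2 ;;
        4.9) echo 1 ;;
        5.0) echo 4 ;;
        5.1) echo 3 ;;
        5.2) echo 2 ;;
        5.3) echo 1 ;;
        5.4) echo 1 ;;
        5.5) echo 2 ;;
        5.6) echo 2 ;;
        *)   echo "" ;;
    esac
}

# Usage: wcpay_status <version>
# Prints one of: patched | vulnerable | not-affected | invalid
wcpay_status() {
    ver="$1"
    # Reject anything that is not digits and dots with non-empty components.
    case "$ver" in
        ""|*[!0-9.]*|*..*|.*|*.) echo invalid; return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    [ "$#" -eq 3 ] || { echo invalid; return 1; }
    major=$1; minor=$2; patch=$3
    fixed=$(fixed_patch_for_branch "$major.$minor")
    # Branches before 4.8 or after 5.6 are outside the affected range.
    if [ -z "$fixed" ]; then
        echo not-affected
    elif [ "$patch" -ge "$fixed" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Live check on a site with WP-CLI (assumed plugin slug, run manually):
#   wcpay_status "$(wp plugin get woocommerce-payments --field=version)"
```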
The recent critical vulnerability in the WooCommerce Payments plugin highlights the importance of keeping your website’s plugins up to date. By following the steps outlined in this blog post, you can ensure the security of your online store and safeguard it against potential attacks. Regularly monitoring for security updates and promptly applying patches will help you maintain a secure environment for your customers and your business.
The vulnerability was reported by Michael Mazzolini of GoldNetwork, who was conducting white-hat testing through WooCommerce’s HackerOne program. While a CVE was still pending at the time of disclosure, it was rated a critical vulnerability with a CVSS score of 9.8.
More information is available here: